In vSphere 7.0 Update 1 and later, you can activate Secure Encrypted Virtualization-Encrypted State (SEV-ES) on supported AMD CPUs and guest operating systems.
Currently, SEV-ES supports only AMD EPYC 7xx2 CPUs (code named "Rome") and later CPUs, and only versions of Linux kernels that include specific support for SEV-ES.
SEV-ES Components and Architecture
The SEV-ES architecture consists of the following components.
- AMD CPU, specifically, the Platform Security Processor (PSP) that manages encryption keys and handles encryption.
- Enlightened operating system, that is, an operating system that uses guest-initiated calls to the hypervisor.
- Virtual Machine Monitor (VMM) and Virtual Machine Executable (VMX), to initialize an encrypted virtual machine state during virtual machine power-on, and also to handle calls from the guest operating system.
- VMkernel driver, to communicate unencrypted data between the hypervisor and the guest operating system.
Implementing and Managing SEV-ES on ESXi
You must first activate SEV-ES in a system's BIOS configuration. See the documentation for your system for more information about accessing the BIOS configuration. After you have activated SEV-ES in the BIOS for your system, you can then add SEV-ES to a virtual machine.
You use either the vSphere Client (starting in vSphere 7.0 Update 2) or PowerCLI commands to activate and deactivate SEV-ES on virtual machines. You can create new virtual machines with SEV-ES, or activate SEV-ES on existing virtual machines. Privileges to manage virtual machines activated with SEV-ES are the same as for managing regular virtual machines.
Unsupported VMware Features on SEV-ES
The following features are not supported when SEV-ES is activated.
- System Management Mode
- Powered-on snapshots (however, no-memory snapshots are supported)
- Hot add or remove of CPU or memory
- VMware Fault Tolerance
- Clones and instant clones
- Guest Integrity
- UEFI Secure Boot